I've just noticed that on my new server (ns5.cdbsystems.com), though named is running and I followed the install-chroot-bind howto, I can't get to it from the outside world. When I do dig @ns5.cdbsystems.com cdbsystems.com I get REFUSED from dig. My other nameserver, dig @ns4.cdbsystems.com cdbsystems.com, responds normally. How can I tell what named is up to?

One complicating factor is I have it behind a Xincom dual-WAN router. The CentOS 5.1 server has a static IP of 192.168.2.50 and I have the router passing through all DNS / port 53 requests (TCP and UDP) to this static IP. The router IP is 71.163.161.26, which is of course what ns5.cdbsystems.com is saved as at GoDaddy (the registrar), and ns4.cdbsystems.com.

Doing /etc/rc.d/rc3.d/S13named restart, messages contains:

Code:
May 14 13:50:29 ns5 named[1999]: shutting down: flushing changes
May 14 13:50:29 ns5 named[1999]: stopping command channel on 127.0.0.1#953
May 14 13:50:29 ns5 named[1999]: stopping command channel on ::1#953
May 14 13:50:29 ns5 named[1999]: no longer listening on 127.0.0.1#53
May 14 13:50:29 ns5 named[1999]: no longer listening on 192.168.2.50#53
May 14 13:50:29 ns5 named[1999]: exiting
May 14 13:50:31 ns5 named[3456]: starting BIND 9.3.3rc2 -u named -t /var/named/chroot
May 14 13:50:31 ns5 named[3456]: found 2 CPUs, using 2 worker threads
May 14 13:50:31 ns5 named[3456]: loading configuration from '/etc/named.conf'
May 14 13:50:31 ns5 named[3456]: listening on IPv4 interface lo, 127.0.0.1#53
May 14 13:50:31 ns5 named[3456]: listening on IPv4 interface eth0, 192.168.2.50#53
May 14 13:50:31 ns5 named[3456]: command channel listening on 127.0.0.1#953
May 14 13:50:31 ns5 named[3456]: command channel listening on ::1#953
May 14 13:50:31 ns5 named[3456]: zone 0.in-addr.arpa/IN/localhost_resolver: loaded serial 42
May 14 13:50:31 ns5 named[3456]: zone 0.0.127.in-addr.arpa/IN/localhost_resolver: loaded serial 1997022700
May 14 13:50:31 ns5 named[3456]: zone 255.in-addr.arpa/IN/localhost_resolver: loaded serial 42
May 14 13:50:31 ns5 named[3456]: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN/localhost_resolver: loaded serial 1997022700
May 14 13:50:31 ns5 named[3456]: zone localdomain/IN/localhost_resolver: loaded serial 42
May 14 13:50:31 ns5 named[3456]: zone localhost/IN/localhost_resolver: loaded serial 1
May 14 13:50:31 ns5 named[3456]: zone cdbsystems.com/IN/external: loaded serial 1997022735
May 14 13:50:31 ns5 named[3456]: zone cdbsystems.com/IN/external: sending notifies (serial 1997022735)
May 14 13:50:31 ns5 named[3456]: running
May 14 13:50:31 ns5 named[3456]: client 192.168.2.1#1345: view internal: received notify for zone 'cdbsystems.com': not authoritative

On ns4.cdbsystems.com (and ns5) the cdbsystems.hosts file contains:

Code:
-------------------------------------
$TTL 84600
@       IN      SOA     cdbsystems.com. root.cdbsystems.com. (
                        1997022735      ; Serial
                        3600            ; Refresh
                        14400           ; Retry
                        1209600         ; Expire
                        86400 )         ; TTL
        IN      NS      ns4.cdbsystems.com.
        IN      NS      ns5.cdbsystems.com.
admin           IN      A       65.254.36.202
ns6             IN      A       65.254.36.202
newbrutha       IN      A       65.254.36.202
cdbtest         IN      A       65.254.36.202
inthezoneonline IN      A       65.254.36.202
ns5             IN      A       71.163.161.26
ns4             IN      A       65.254.36.202
www             IN      A       71.163.161.26
ns3             IN      A       65.254.36.202
ns2             IN      A       65.254.36.202
www2            IN      A       65.254.36.202
ns1             IN      CNAME   admin
wwwns5          IN      CNAME   admin
ftp             IN      CNAME   admin
pop3            IN      CNAME   admin
smtp            IN      CNAME   admin
mail            IN      CNAME   admin
cdbsystems.com. MX      50      ns4.cdbsystems.com.
-----------------

Any ideas as to how to diagnose the problem? I notice in messages a reference to ports 953 and 1345. As far as I know the firewall is NOT passing those through - do I need to allow them? (Most firewall setup howtos only mention 53 and making sure TCP and UDP are both allowed for DNS passthrough.) Any help is most welcome.
cdb.
Seems to respond for me:

Code:
mh1:~# dig @ns5.cdbsystems.com cdbsystems.com

; <<>> DiG 9.3.4 <<>> @ns5.cdbsystems.com cdbsystems.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 46414
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cdbsystems.com.                        IN      A

;; Query time: 107 msec
;; SERVER: 71.163.161.26#53(71.163.161.26)
;; WHEN: Thu May 15 19:44:20 2008
;; MSG SIZE  rcvd: 32

mh1:~#
Really, it gives status REFUSED - and provides no information. ns4.cdbsystems.com gives good status and provides all we need.
cdb.
possible information on stupid semi-question #3

I just realized (it's been a LONG week) that I've got my CentOS server on static IP 192.168.2.50. Now the router is forwarding traffic (including DNS traffic, hopefully) to 192.168.2.50. But maybe the REFUSED means that bind is not listening for requests to the external static IP (71.163.161.26)? If so, how to get bind to respond to both addresses properly?
Thanks,
cdb.
Sorry, I've overlooked the REFUSED... What's the output of

Code:
netstat -tap

? What's in named.conf?
netstat -tap

Here's from NS5:

Code:
[root@ns5 rc5.d]# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 localhost.localdomain:2208  *:*                         LISTEN      2243/hpiod
tcp        0      0 *:mysql                     *:*                         LISTEN      2399/mysqld
tcp        0      0 *:sunrpc                    *:*                         LISTEN      2020/portmap
tcp        0      0 ns5.cdbsystems.com:domain   *:*                         LISTEN      16468/named
tcp        0      0 localhost.localdomai:domain *:*                         LISTEN      16468/named
tcp        0      0 *:ftp                       *:*                         LISTEN      2424/proftpd: (acce
tcp        0      0 localhost.localdomain:ipp   *:*                         LISTEN      2274/cupsd
tcp        0      0 *:squid                     *:*                         LISTEN      3982/(squid)
tcp        0      0 localhost.localdomain:rndc  *:*                         LISTEN      16468/named
tcp        0      0 localhost.localdomain:smtp  *:*                         LISTEN      30379/sendmail: acc
tcp        0      0 localhost.localdomain:2207  *:*                         LISTEN      2248/python
tcp        0      0 *:959                       *:*                         LISTEN      2049/rpc.statd
tcp        0      0 ns5.cdbsystems.com:domain   ns4.cdbsystems.com:55609    TIME_WAIT   -
tcp        1      0 ns5.cdbsystems.com:43767    192.150.18.46:http          CLOSE_WAIT  2969/python
tcp        1      0 ns5.cdbsystems.com:45051    hpc-mirror.usc.edu:http     CLOSE_WAIT  2969/python
tcp        1      0 ns5.cdbsystems.com:49617    hilbert.unl.edu:http        CLOSE_WAIT  2969/python
tcp        1      0 ns5.cdbsystems.com:49611    hilbert.unl.edu:http        CLOSE_WAIT  2969/python
tcp        1      0 ns5.cdbsystems.com:40206    ns1.centos.org:http         CLOSE_WAIT  2969/python
tcp        1      0 ns5.cdbsystems.com:40212    ns1.centos.org:http         CLOSE_WAIT  2969/python
tcp        0      0 *:http                      *:*                         LISTEN      2447/httpd
tcp        0      0 *:ssh                       *:*                         LISTEN      2263/sshd
tcp        0      0 localhost6.localdomain:rndc *:*                         LISTEN      16468/named
tcp        0      0 *:https                     *:*                         LISTEN      2447/httpd
tcp        0      0 ns5.cdbsystems.com:ssh      ::ffff:192.168.2.1:dbstar   ESTABLISHED 16207/1
tcp        0      0 ns5.cdbsystems.com:http     crawl-66-249-67-10.go:35485 TIME_WAIT   -
[root@ns5 rc5.d]#

As I noted before, eth0 is static 192.168.2.50, but ns5 in my cdbsystems.hosts is defined as 71.163.161.26. Maybe the problem? Do I need to have my 'external' address someplace special? I have port 53 T&U passed through to 192.168.2.50 from the router that is at 71.163.161.26. In named.conf I have query-source port 53.
In the external view I have:

Code:
view "external" {
/* This view will contain zones you want to serve only to "external" clients
 * that have addresses that are not on your directly attached LAN interface subnets:
 */
    match-clients { !localnets; !localhost; };
    match-destinations { !localnets; !localhost; };

    recursion no;
    // you'd probably want to deny recursion to external clients, so you don't
    // end up providing free DNS service to all takers

    // all views must contain the root hints zone:
    include "/etc/named.root.hints";

    // These are your "authoritative" external zones, and would probably
    // contain entries for just your web and mail servers:
    include "/etc/named.myzones";
};

My file 'named.myzones' contains all the zone statements.

/etc/hosts contains:

Code:
[root@ns5 etc]# cat hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6
71.163.161.26   ns5.cdbsystems.com ns5
192.168.2.50    ns5.cdbsystems.com ns5

I'm thinking this is maybe a router issue? Also, I notice that sendmail is not responding on port 25 when I telnet from ns4 - I just get connection refused. Maybe the two are linked? Anything else you need? Any ideas? Thanks again. Love your site!
cdb.
Further info - no matching class error

I turned on bind logging to debug 3, and when I do a query dig @ns5.cdbsystems.com from ns4, I'm getting:

Code:
lient @0x555566eaf460: udprecv
client 65.254.36.202#39458: UDP request
client 65.254.36.202#39458: no matching view in class 'IN'
client 65.254.36.202#39458: error
client 65.254.36.202#39458: send
client 65.254.36.202#39458: sendto
client 65.254.36.202#39458: senddone
client 65.254.36.202#39458: next
client 65.254.36.202#39458: endrequest

I'm googling to see what the problem is, but obviously it's a bind misconfiguration. My file named.myzones should be included in the EXTERNAL view, so not sure why it's unhappy!
cdb.
ifconfig, hosts

Code:
Last login: Fri May 16 20:51:17 2008 from ip72-192-192-225.dc.dc.cox.net
[root@ns5 ~]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:17:08:51:90:FC
          inet addr:192.168.2.50  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::217:8ff:fe51:90fc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:520273 errors:0 dropped:0 overruns:0 frame:0
          TX packets:394473 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:122350600 (116.6 MiB)  TX bytes:93703061 (89.3 MiB)
          Interrupt:193

[root@ns5 ~]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6
71.163.161.26   ns5.cdbsystems.com ns5
192.168.2.50    ns5.cdbsystems.com ns5
[root@ns5 ~]#

I added the second ns5 line in hosts thinking that might help.
cdb.
problem solved

Turns out I needed to have in the named.conf view 'external':

Code:
match-clients { any; };
match-destinations { any; };

Now dig @ns5.cdbsystems.com whatever seems to respond OK! Now back to the sendmail issue.
cdb.
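As an added illustration (not BIND's code and not anything posted in the thread), this small Python model of BIND's view selection shows why the original "external" view could never match: BIND checks an address match list in order, the first hit decides, a negated hit denies, and an address that hits no entry is denied, so a list made only of negated entries accepts nobody, and match-destinations { !localnets; } also rejects packets arriving at the NATed address 192.168.2.50. It assumes the three views are ordered localhost_resolver, internal, external as in the CentOS sample config, and that localnets on ns5 covers 192.168.2.0/24 plus loopback.

```python
import ipaddress

# Constructed from the thread: eth0 on ns5 is 192.168.2.50/24, so BIND's
# built-in "localnets" ACL covers this subnet (loopback added for completeness).
LOCALNETS = [ipaddress.ip_network("192.168.2.0/24"), ipaddress.ip_network("127.0.0.0/8")]


def acl_allows(acl, addr):
    """Evaluate a BIND address match list such as ['!localnets', '!localhost']:
    entries are checked in order, the first hit decides (a negated hit denies),
    and an address that hits no entry is denied."""
    ip = ipaddress.ip_address(addr)
    for entry in acl:
        negated = entry.startswith("!")
        name = entry.lstrip("!")
        if name == "any":
            hit = True
        elif name == "localhost":
            hit = ip.is_loopback
        elif name == "localnets":
            hit = any(ip in net for net in LOCALNETS)
        else:  # literal address or prefix, e.g. "65.254.36.202" or "10.0.0.0/8"
            hit = ip in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negated
    return False


def select_view(views, client, dest):
    """Return the first view whose match-clients AND match-destinations accept
    the packet, else None: BIND's 'no matching view', answered with REFUSED."""
    for name, match_clients, match_destinations in views:
        if acl_allows(match_clients, client) and acl_allows(match_destinations, dest):
            return name
    return None


# View order and ACLs as in the CentOS sample named.conf the thread started from
# (assumed order: localhost_resolver, internal, external).
BROKEN_VIEWS = [
    ("localhost_resolver", ["localhost"], ["localhost"]),
    ("internal", ["localnets"], ["localnets"]),
    ("external", ["!localnets", "!localhost"], ["!localnets", "!localhost"]),
]
# The fix posted above: the last view catches everything the first two rejected.
FIXED_VIEWS = BROKEN_VIEWS[:2] + [("external", ["any"], ["any"])]

if __name__ == "__main__":
    # ns4 (65.254.36.202) queries ns5; behind the NAT router BIND sees dest 192.168.2.50.
    print(select_view(BROKEN_VIEWS, "65.254.36.202", "192.168.2.50"))  # None
    print(select_view(FIXED_VIEWS, "65.254.36.202", "192.168.2.50"))   # external
```

With match-clients { any; } the external view is reachable by everyone, so its recursion no line is what keeps ns5 from becoming an open resolver.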
This seems similar to what's going on with my situation (listed in the bind network issue post). But when I attempted to add:

Code:
match-clients { any; };
match-destinations { any; };

I received the following error:

Code:
May 18 17:47:51 shinra named[16739]: /etc/bind/named.conf.options:25: unknown option 'match-clients'
May 18 17:47:51 shinra named[16739]: /etc/bind/named.conf.options:26: unknown option 'match-destinations'
May 18 17:47:51 shinra named[16739]: loading configuration: failure

I added the match-clients and match-destinations to my named.conf.options file as listed below:

Code:
view "external" {
    match-clients { any; };
    match-destinations { any; };
    recursion no;
    include "/etc/bind/named.root.hints";
    include "/etc/bind/x90its.db";
    include "/etc/bind/swamphawglures.db";
    include "/etc/bind/burrellfishing.db";
};

Am I doing something wrong? I will continue to look this up online, but if anyone has any ideas let me know.